[Qemu-commits] [qemu/qemu] 4751fd: 9pfs: local: fix fchmodat_nofollow()


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 4751fd: 9pfs: local: fix fchmodat_nofollow() limitations
Date: Thu, 10 Aug 2017 10:41:42 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 4751fd5328dfcd4fe2f9055728a72a0e3ae56512
  https://github.com/qemu/qemu/commit/4751fd5328dfcd4fe2f9055728a72a0e3ae56512
  Author: Greg Kurz <address@hidden>
  Date:   2017-08-10 (Thu, 10 Aug 2017)

  Changed paths:
    M hw/9pfs/9p-local.c
    M hw/9pfs/9p-util.h

  Log Message:
  -----------
  9pfs: local: fix fchmodat_nofollow() limitations

This function has to ensure it doesn't follow a symlink that could be used
to escape the virtfs directory. This could be easily achieved if fchmodat()
on Linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but
it doesn't. There was an attempt to implement a new fchmodat2() syscall
with the correct semantics:

https://patchwork.kernel.org/patch/9596301/

but it didn't gain much momentum. Also it was suggested to look at an O_PATH
based solution in the first place.

The current implementation covers most use-cases, but it notably fails if:
- the target path has access rights equal to 0000 (openat() returns EPERM),
  => once you've done chmod(0000) on a file, you can never chmod() again
- the target path is a UNIX domain socket (openat() returns ENXIO)
  => bind() of UNIX domain sockets fails if the file is on 9pfs

The solution is to use O_PATH: openat() now succeeds in both cases, and we
can ensure the path isn't a symlink with fstat(). The associated entry in
"/proc/self/fd" can hence be safely passed to the regular chmod() syscall.

The previous behavior is kept for older systems that don't have O_PATH.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Tested-by: Zhi Yong Wu <address@hidden>
Acked-by: Philippe Mathieu-Daudé <address@hidden>
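The O_PATH approach the commit message describes, written out as an added example that is not QEMU's own code: `chmod_nofollow_opath()` is a hypothetical name, the function opens the entry with O_PATH | O_NOFOLLOW, refuses it if fstat() reports a symlink, and otherwise chmod()s through the `/proc/self/fd` magic link. The three checks exercise exactly the cases the message lists (a file already at mode 0000, a bound UNIX domain socket, and a symlink that must be refused) in a scratch directory under /tmp; they assume Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
/* Added example (not QEMU's code): O_PATH lets 0000 files and sockets be
 * opened, fstat() rejects symlinks, chmod() goes through /proc/self/fd.
 * Returns 0 on success, -1 with errno set otherwise. */
int chmod_nofollow_opath(int dirfd, const char *name, mode_t mode)
{
    char proc_path[64];
    struct stat st;
    int ret = -1, saved;
    /* O_NOFOLLOW: if 'name' is a symlink the fd refers to the link itself. */
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1)
        goto out;
    if (S_ISLNK(st.st_mode)) {
        errno = ELOOP; /* never chmod() through a link: it may leave the share */
        goto out;
    }
    snprintf(proc_path, sizeof(proc_path), "/proc/self/fd/%d", fd);
    ret = chmod(proc_path, mode); /* the kernel resolves the magic link */
out:
    saved = errno;
    close(fd);
    errno = saved;
    return ret;
}

/* Scenario 1 from the commit message: chmod(0000) must not be a one-way door.
 * Returns 1 if the mode could be restored to 0644 afterwards. */
static int check_chmod_after_0000(int dirfd)
{
    struct stat st;
    int fd = openat(dirfd, "f", O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd == -1)
        return 0;
    close(fd);
    return chmod_nofollow_opath(dirfd, "f", 0000) == 0 && /* lock it down */
           chmod_nofollow_opath(dirfd, "f", 0644) == 0 && /* O_RDONLY would get EPERM */
           fstatat(dirfd, "f", &st, AT_SYMLINK_NOFOLLOW) == 0 &&
           (st.st_mode & 07777) == 0644;
}

/* Scenario 2: a UNIX domain socket (openat(O_RDONLY) fails with ENXIO).
 * Returns 1 if the socket's mode could be set to 0600. */
static int check_unix_socket(int dirfd, const char *dir)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    struct stat st;
    int ok, sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock == -1)
        return 0;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/s", dir);
    ok = bind(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
         chmod_nofollow_opath(dirfd, "s", 0600) == 0 &&
         fstatat(dirfd, "s", &st, AT_SYMLINK_NOFOLLOW) == 0 &&
         S_ISSOCK(st.st_mode) && (st.st_mode & 07777) == 0600;
    close(sock);
    return ok;
}

/* The security property: a symlink is refused with ELOOP and its target's
 * mode is left untouched. Returns 1 if both hold. */
static int check_symlink_rejected(int dirfd)
{
    struct stat st;
    int fd = openat(dirfd, "t", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return 0;
    close(fd);
    return symlinkat("t", dirfd, "l") == 0 &&
           chmod_nofollow_opath(dirfd, "l", 0777) == -1 && errno == ELOOP &&
           fstatat(dirfd, "t", &st, 0) == 0 && (st.st_mode & 07777) == 0600;
}

/* Runs the three checks in a fresh scratch directory and returns a bitmask:
 * bit 0 = 0000 file, bit 1 = socket, bit 2 = symlink refused (7 = all pass). */
int run_checks(void)
{
    char dir[] = "/tmp/opath-demo-XXXXXX";
    int mask = 0, dirfd = -1;
    if (!mkdtemp(dir) || (dirfd = open(dir, O_RDONLY | O_DIRECTORY)) == -1)
        return 0;
    mask |= check_chmod_after_0000(dirfd) << 0;
    mask |= check_unix_socket(dirfd, dir) << 1;
    mask |= check_symlink_rejected(dirfd) << 2;
    unlinkat(dirfd, "f", 0); unlinkat(dirfd, "s", 0);
    unlinkat(dirfd, "l", 0); unlinkat(dirfd, "t", 0);
    close(dirfd);
    rmdir(dir);
    return mask;
}
```

The `/proc/self/fd` indirection is what makes the symlink check meaningful: the fd was opened with O_NOFOLLOW and inspected with fstat() before chmod() ever sees a path, so there is no window in which the name could be swapped for a link pointing outside the exported directory.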


  Commit: 473a321122fd3c2c327a5a5d01a9a41f26f1734c
  https://github.com/qemu/qemu/commit/473a321122fd3c2c327a5a5d01a9a41f26f1734c
  Author: Peter Maydell <address@hidden>
  Date:   2017-08-10 (Thu, 10 Aug 2017)

  Changed paths:
    M hw/9pfs/9p-local.c
    M hw/9pfs/9p-util.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Just a single fix for an annoying regression introduced in 2.9 when fixing
CVE-2016-9602.

# gpg: Signature made Thu 10 Aug 2017 13:40:28 BST
# gpg:                using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <address@hidden>"
# gpg:                 aka "Greg Kurz <address@hidden>"
# gpg:                 aka "Greg Kurz <address@hidden>"
# gpg:                 aka "Gregory Kurz (Groug) <address@hidden>"
# gpg:                 aka "[jpeg image of size 3330]"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894  DBA2 02FC 3AEB 0101 DBC2

* remotes/gkurz/tags/for-upstream:
  9pfs: local: fix fchmodat_nofollow() limitations

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/b38df311c174...473a321122fd
